I found that I'm getting a 403 because TomEERealm.hasResourcePermission()
compares my logged-in role (Administrator) with the only security constraint
that it has within its context (which is 'default').  I would have assumed
that somehow the @DeclareRoles(value = {"Administrator"}) would have also
added a security constraint for 'Administrator'.  But since only 'default'
exists, the method returns false for hasRole().

RealmBase.hasResourcePermission() (base class of TomEERealm)
 - roles == [default]
 - principal == GenericPrincipal[tomee(Administrator,)]


    for (int j = 0; j < roles.length; j++) {
        if (hasRole(null, principal, roles[j])) {
            status = true;
            if (log.isDebugEnabled())
                log.debug("Role found:  " + roles[j]);
        } else if (log.isDebugEnabled()) {
            log.debug("No role found:  " + roles[j]);
        }
    }

I then took a look to see how the security constraints are built.  Below is
the only reference I see to adding security roles (and is where the
'default' is coming from):

TomcatWsRegistry.createNewContext(ClassLoader, String, String, String, String)

    SecurityConstraint sc = new SecurityConstraint();
    sc.addAuthRole("*");
    sc.addCollection(collection);
    sc.setAuthConstraint(true);
    sc.setUserConstraint(transportGuarantee);
    context.addConstraint(sc);
    context.addSecurityRole("default");

Could this have something to do with me deploying my web service as a jar
(and not within a war - defining constraints within web.xml)?  How else
would the WS's declared roles be added?



--
View this message in context: 
http://openejb.979440.n4.nabble.com/webservice-security-basic-auth-tp4662743p4662820.html
Sent from the OpenEJB User mailing list archive at Nabble.com.
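For comparison with the constraint TomcatWsRegistry builds programmatically, here is the declarative form the post alludes to (constraints in a WAR's web.xml). This is an added example written for this page, not code from the poster or from TomEE; the url-pattern, the realm name and the choice of CONFIDENTIAL transport are assumptions. The security-relevant detail it illustrates: under the Servlet specification an auth-constraint role of "*" is shorthand for every role listed in security-role elements, and Tomcat's RealmBase resolves it exactly that way (roles == [default] in the debugging above). A principal that carries only Administrator therefore matches nothing unless Administrator is itself declared, which is what this descriptor does explicitly.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the post or from TomEE): the declarative
     equivalent of the programmatic SecurityConstraint discussed above.
     Path, realm name and transport guarantee are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- The role must be declared here. An auth-constraint of "*" expands
       to exactly this list, so a role that is never declared can never
       satisfy the constraint no matter what the realm reports. -->
  <security-role>
    <role-name>Administrator</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Web service endpoint</web-resource-name>
      <!-- assumed endpoint path -->
      <url-pattern>/MyService/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Name the role explicitly instead of "*", so the check does not
           depend on which other roles happen to be declared. -->
      <role-name>Administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- BASIC auth only base64-encodes the password; require TLS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- assumed realm name, shown in the browser's credential prompt -->
    <realm-name>TomEE</realm-name>
  </login-config>
</web-app>
```

Whether TomEE consults a web.xml at all for a web service deployed as a plain jar is the open question in the post and is not settled by this example; what the descriptor shows is the minimum a container needs to see (a declared role, a constraint naming it, and a login method) for an Administrator principal to pass hasResourcePermission().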